41st Parameter, part of Experian and leader in online fraud intervention, warns of the growing threat of cyber fraud and need for cybersecurity to protect customers and businesses

London, UK, Under embargo until 00:01am on Monday 24 November 2014 – New research published today from Experian, the global information services company, reveals that one in six adults has fallen victim to a cyber-attack. Furthermore, sixty per cent of smartphone users, and almost half (48 per cent) of tablet users, said they had no malware protection on their devices, leaving them totally vulnerable to hacking by cyber fraudsters. This is despite nearly half using mobile phones for internet banking and one in three for online shopping, and comes against a backdrop of an 80 per cent increase in phishing attacks directed at mobile devices globally over the past year.

Cyber-attacks can be anything from phishing emails, which could result in a fraudster taking over an online account, to a fraudster accessing personal details and then using them offline to commit fraud, to session hijacking attacks, where a user’s browsing is interrupted, monitored or even hijacked by a hacker.

Ori Eisen, Founder of 41st Parameter and Experian fraud leader, comments:
“This year has proved a tipping point for smartphones and tablets. The rapid rise in demand for online banking and retail combined with very little security on devices has created a massive opportunity for cyber criminals leaving many people and businesses extremely vulnerable. There are approximately five billion connected devices globally, serving a billion online bank accounts and contributing $13 trillion to global ecommerce sales and transactions. With so much at stake, the opportunities for fraudsters are countless and we need to do more – as an industry and as individuals – to protect ourselves.”

A survey of 2,000 UK adults showed that the vast majority of people recognise the need for safeguarding their PCs and laptops against online fraud threats, with 93 per cent claiming to have security or antivirus software installed. However, when it comes to mobile devices, tablets or smartphones, it is a different story and many people are still vulnerable with little or no protection. This is reflected by the estimated 25 million unique strains of malware, resulting in an 80 per cent annual increase in phishing attacks, and 600 million customer information records hacked [1].

Victims of cybercrime
Experian found that one in six UK adults who own a device have already fallen foul of a cyber-attack in the last year. Laptops and PCs continue to prove the most vulnerable devices to attack with a majority (83 per cent) of users having fallen victim to cybercrime; however, more than a fifth (21 per cent) suffered a smartphone attack and almost one in six (17 per cent) suffered a tablet attack.

The findings come at a time when smartphones and tablets have become an integral part of daily life, providing instant access to websites, apps and games but also creating huge opportunities for fraudsters. Use of tablet computers to access the internet among adults has almost doubled from 16 per cent in 2012 to 30 per cent in 2013, and nearly two-thirds (59 per cent) of people access the internet through a mobile phone, up by six per cent since 2012 [2].

According to the research from Experian, almost half (45 per cent) of smartphone or tablet users have used either device to check their online bank balance, while a third (33 per cent) have paid for an item using an online app, and more than a quarter (27 per cent) have transferred money to another person using an online banking app. Other uses include providing mobile ID verification (14 per cent) and applying for financial services (12 per cent). While this offers excellent convenience, with organisations providing highly secure processes for accessing their services via mobile devices, fraudsters can still take advantage of devices which do not have adequate security installed, and it is vital people take steps to safeguard their own position simply by being aware of potential threats.

Ori Eisen added:
“The growth in online and mobile for retail transactions and online banking has meant that validating identities online has become increasingly complex for businesses. Organisations need to adapt their systems to not only provide the online service that their customers want but at the same time protect customers and their business from fraud.

“Device intelligence is one way businesses can verify and authenticate customers using their device information. Every time a customer logs into a bank website, retail or commercial site, the technology is designed to flag inconsistencies and potential fraudulent activity to help reduce cases of fraud and protect both the individual and the business.”

Biggest security threats
When asked what was perceived to be the biggest security threat to smartphones, laptops and / or tablets, 30 per cent of UK adults said malware (malicious software being put onto their device to access their information). Other perceived security threats included a data breach (details being stolen from an organisation the user does business with) at 16 per cent, theft (physical theft of a device) at 11 per cent and phishing (being tricked into giving their personal details on email or over the phone) at 10 per cent.

Reasons for not having security software
The survey findings suggest it is not that users don’t recognise the seriousness of online security; in fact, two-fifths (41 per cent) of device owners think they are vulnerable to security threats and viruses. Instead, 12 per cent say they hadn’t taken any preventative measures on their smartphone or tablet because they thought they were automatically provided with protection from their mobile service provider. A further 8 per cent believe fraud protection software is too expensive and 8 per cent thought they were protected by the organisation they had made a transaction with. Only a third (29 per cent) of respondents claimed they didn’t have anti-virus software installed because they weren’t aware they needed it.

How you can better protect your mobile device and your personal information:

Smartphones can hold a wealth of information, from cached passwords to online accounts and apps, contacts and other personal information. As we move into the holiday season and online shopping increases, people should try to follow these best practices to ensure they are protected:

1. Always use a home screen lock on your mobile device.
2. Don’t store account names and passwords or digital pictures of your passport.
3. Remember that public Wi-Fi networks are riskier than private networks, so be careful with the information you access and share when out and about.
4. Your email account is linked to many other accounts and can hold a large amount of personally-identifiable information. Beware of phishing – if an email seems suspicious, don’t open it or click on any links within the email. A legitimate company will never ask for your account details via email. If contacts have received emails from you that you did not send, change all your online passwords immediately.
5. Social media sites can reveal your date of birth, maiden name, email address and enough information to help a fraudster identify possible PIN and/or passwords. Consider how much you really need to share.

People who think they have become victims of identity fraud should notify the police, contact their bank and check their credit report. Experian's Victims of Fraud service is available as a benefit of your Experian CreditExpert subscription and has a dedicated team on hand to give expert advice and support tailored to victims’ particular circumstances.
For further information, visit: www.experian.co.uk.


[1] Sources: Experian 41st Parameter, Gartner, IDC and Bloomberg.

[2] Research conducted by Ofcom http://media.ofcom.org.uk/news/2014/tablets-help-drive-increase-in-older-people-going-online/

Please see below for a detailed table of cyber-fraud threats and top tactics for fraudsters:

Tactic: Phishing attacks
Description: Fraudsters create bogus websites, apps and emails that look like they come from legitimate companies in order to dupe victims into providing their genuine login, passwords and other credentials. These details are then used to steal money from the victim’s account.

Phishing attacks occur where the legitimate user has malware on their device and is redirected to a “fake” login screen rather than the actual one.
Victims: Consumers & businesses

Tactic: Session hijacking attack
Description: The fraudster secretly lies in wait for a victim to start a session and then takes over control of the session to make an unauthorized transaction. Malware is typically the source or culprit enabling fraudulent access; but whereas phishing attacks redirect users to a fake login site, session hijackers wait for the legitimate user to log into the official site. Following authentication the attacker is able to change the customer’s contact information associated with the account or to submit fraudulent transactions behind the scenes, as part of the same authenticated session.

This attack is less common than phishing attacks because it requires direct session intervention by the fraudster – he/she must initiate a fraudulent transaction while the legitimate user is logged into the session.
Victims: Consumers & businesses

Tactic: Session Replay attack
Description: Fraudsters use malware to capture complete session details including the login credentials and passwords which they later “replay” to trick companies into allowing unauthorized account access and diversion of funds, goods and services.

A fraudster monitors legitimate accountholder transaction activity and captures the JavaScript payload and HTTP headers from the transaction. The attacker then manipulates certain elements of the data (for example, changing the beneficiary information and modifying the transaction amount on a wire transfer) and resubmits the event with an identical JavaScript payload.
Victims: Consumers & businesses

Tactic: Man-in-the-browser attack
Description: The fraudster is transacting simultaneously to the legitimate user. This requires significant coordination and preparation by the attacker because his/her manipulation of transaction details would need to be in-stream and prior to the legitimate user clicking the Submit button. As the legitimate user is preparing transaction details, the attacker is changing account, amount, and other transaction details – so the customer believes that he/she is submitting one transaction, while the attacker is manipulating all of the transaction details behind the scenes.
Victims: Consumers & businesses
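
The session replay entry above notes that the resubmitted event carries an identical JavaScript payload alongside altered transaction details; that reuse is something a server can check for. The sketch below is an added example, not code from Experian or 41st Parameter. It assumes a genuine device payload includes a per-collection value (here a hypothetical collected_at field), so two honest submissions never match byte for byte; the class, function and field names and all sample values are constructed for illustration.

```python
import hashlib
import json


class ReplayDetector:
    """Flags a transaction whose device payload and headers were already seen."""

    def __init__(self):
        # digest of (payload, headers) -> transaction fields first submitted with it
        self._seen = {}

    @staticmethod
    def _digest(payload: bytes, headers: dict) -> str:
        # Canonicalise headers so key order or case cannot hide a replay.
        canon = json.dumps({k.lower(): v for k, v in headers.items()}, sort_keys=True)
        return hashlib.sha256(payload + b"\n" + canon.encode()).hexdigest()

    def check(self, payload: bytes, headers: dict, txn: dict) -> str:
        key = self._digest(payload, headers)
        first = self._seen.get(key)
        if first is None:
            self._seen[key] = dict(txn)
            return "new"
        if first == txn:
            return "duplicate"  # same event resubmitted unchanged, e.g. a retry
        # Same payload, different transaction details: the replay pattern.
        changed = sorted(k for k in set(first) | set(txn) if first.get(k) != txn.get(k))
        return "replay:" + ",".join(changed)


def run_sample():
    """Runs constructed sample events through the detector and returns the verdicts."""
    d = ReplayDetector()
    payload = b'{"screen":"1080x1920","tz":"Europe/London","collected_at":1416787200123}'
    fresh = b'{"screen":"1080x1920","tz":"Europe/London","collected_at":1416787265456}'
    headers = {"User-Agent": "ExampleBrowser/1.0", "Accept-Language": "en-GB"}
    reordered = {"accept-language": "en-GB", "user-agent": "ExampleBrowser/1.0"}
    legit = {"beneficiary": "ACC-1111", "amount": "50.00"}
    tampered = {"beneficiary": "ACC-9999", "amount": "5000.00"}
    return [
        d.check(payload, headers, legit),       # first sighting of this payload
        d.check(payload, reordered, tampered),  # identical payload, altered transfer
        d.check(fresh, headers, legit),         # newly collected payload
        d.check(payload, headers, legit),       # unchanged resubmission
    ]


if __name__ == "__main__":
    print(run_sample())
```

A "replay" verdict names the fields that differ from the first submission, which is what a fraud analyst would want on the alert.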

About the research

Opinium Research carried out an online survey of 2,002 UK adults aged 18+ from 11th to 16th July 2014. Results have been weighted to nationally representative criteria. www.opinium.co.uk

For more information please contact

Fran Chitoriski
0207 566 9727

About Experian

Experian is the leading global information services company, providing data and analytical tools to clients around the world. The Group helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score, and protect against identity theft.

Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended 31 March 2014 was US$4.8 billion. Experian employs approximately 16,000 people in 39 countries and has its corporate headquarters in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil.
For more information, visit http://www.experianplc.com.